<!DOCTYPE html>
<html id="docs" lang="en" class="">
	<head>
	<meta charset="utf-8">
<title>Policies - Kubernetes</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="../../../images/favicon.png">
<link rel="stylesheet" type="text/css" href="../../../css/base_fonts.css">
<link rel="stylesheet" type="text/css" href="../../../css/styles.css">
<link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.css">
<link rel="stylesheet" type="text/css" href="../../../css/callouts.css">
<link rel="stylesheet" type="text/css" href="../../../css/custom-jekyll/tags.css">




<meta name="description" content="Policies" />
<meta property="og:description" content="Policies" />

<meta property="og:url" content="https://kubernetes.io/docs/concepts/policy/" />
<meta property="og:title" content="Policies - Kubernetes" />

<script
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<script
src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"
integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.js"></script>
<script src="../../../js/script.js"></script>
<script src="../../../js/custom-jekyll/tags.js"></script>


	</head>
	<body>

		
		
		
		
<section id="deprecationWarning">
  <main>
    <div class="content deprecation-warning">
      <h3>
        Documentation for Kubernetes v1.11 is no longer actively maintained. The version you are currently viewing is a static snapshot.
        For up-to-date documentation, see the <a href="https://kubernetes.io/docs/home/">latest</a> version.
      </h3>
    </div>
  </main>
</section>


		<section id="encyclopedia">
			

			<div id="docsContent">
				
	 
    
    

<h1>Resource Quotas</h1>



<p>When several users or teams share a cluster with a fixed number of nodes,
there is a concern that one team could use more than its fair share of resources.</p>

<p>Resource quotas are a tool for administrators to address this concern.</p>









<ul id="markdown-toc">
<li><a href="index.html#enabling-resource-quota">Enabling Resource Quota</a></li>
<li><a href="index.html#compute-resource-quota">Compute Resource Quota</a></li>
<li><a href="index.html#storage-resource-quota">Storage Resource Quota</a></li>
<li><a href="index.html#object-count-quota">Object Count Quota</a></li>
<li><a href="index.html#quota-scopes">Quota Scopes</a></li>
<li><a href="index.html#requests-vs-limits">Requests vs Limits</a></li>
<li><a href="index.html#viewing-and-setting-quotas">Viewing and Setting Quotas</a></li>
<li><a href="index.html#quota-and-cluster-capacity">Quota and Cluster Capacity</a></li>
<li><a href="index.html#example">Example</a></li>
<li><a href="index.html#what-s-next">What's next</a></li>
</ul>


<p>A resource quota, defined by a <code>ResourceQuota</code> object, provides constraints that limit
aggregate resource consumption per namespace.  It can limit the quantity of objects that can
be created in a namespace by type, as well as the total amount of compute resources that may
be consumed by resources in that namespace.</p>

<p>Resource quotas work like this:</p>

<ul>
<li>Different teams work in different namespaces.  Currently this is voluntary, but
support for making this mandatory via ACLs is planned.</li>
<li>The administrator creates one or more <code>ResourceQuotas</code> for each namespace.</li>
<li>Users create resources (pods, services, etc.) in the namespace, and the quota system
tracks usage to ensure it does not exceed hard resource limits defined in a <code>ResourceQuota</code>.</li>
<li>If creating or updating a resource violates a quota constraint, the request will fail with HTTP
status code <code>403 FORBIDDEN</code> with a message explaining the constraint that would have been violated.</li>
<li>If quota is enabled in a namespace for compute resources like <code>cpu</code> and <code>memory</code>, users must specify
requests or limits for those values; otherwise, the quota system may reject pod creation.  Hint: Use
the <code>LimitRanger</code> admission controller to force defaults for pods that make no compute resource requirements.
See the <a href="../../tasks/administer-cluster/quota-memory-cpu-namespace/index.html">walkthrough</a> for an example of how to avoid this problem.</li>
</ul>

<p>Examples of policies that could be created using namespaces and quotas are:</p>

<ul>
<li>In a cluster with a capacity of 32 GiB RAM and 16 cores, let team A use 20 GiB and 10 cores,
let B use 10 GiB and 4 cores, and hold 2 GiB and 2 cores in reserve for future allocation.</li>
<li>Limit the &ldquo;testing&rdquo; namespace to using 1 core and 1 GiB RAM.  Let the &ldquo;production&rdquo; namespace
use any amount.</li>
</ul>

<p>In the case where the total capacity of the cluster is less than the sum of the quotas of the namespaces,
there may be contention for resources.  This is handled on a first-come-first-served basis.</p>

<p>Neither contention nor changes to quota will affect already created resources.</p>

<h2 id="enabling-resource-quota">Enabling Resource Quota</h2>

<p>Resource Quota support is enabled by default for many Kubernetes distributions.  It is
enabled when the apiserver <code>--enable-admission-plugins=</code> flag has <code>ResourceQuota</code> as
one of its arguments.</p>

<p>A resource quota is enforced in a particular namespace when there is a
<code>ResourceQuota</code> in that namespace.</p>

<h2 id="compute-resource-quota">Compute Resource Quota</h2>

<p>You can limit the total sum of <a href="../../user-guide/compute-resources">compute resources</a> that can be requested in a given namespace.</p>

<p>The following resource types are supported:</p>

<table>
<thead>
<tr>
<th>Resource Name</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><code>cpu</code></td>
<td>Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>limits.cpu</code></td>
<td>Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value.</td>
</tr>

<tr>
<td><code>limits.memory</code></td>
<td>Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value.</td>
</tr>

<tr>
<td><code>memory</code></td>
<td>Across all pods in a non-terminal state, the sum of memory requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>requests.cpu</code></td>
<td>Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>requests.memory</code></td>
<td>Across all pods in a non-terminal state, the sum of memory requests cannot exceed this value.</td>
</tr>
</tbody>
</table>

<h3 id="resource-quota-for-extended-resources">Resource Quota For Extended Resources</h3>

<p>In addition to the resources mentioned above, release 1.10 added quota support for
<a href="../../user-guide/compute-resources/index.html#extended-resources">extended resources</a>.</p>

<p>As overcommit is not allowed for extended resources, it makes no sense to specify both <code>requests</code>
and <code>limits</code> for the same extended resource in a quota. So for extended resources, only quota items
with the prefix <code>requests.</code> are allowed for now.</p>

<p>Take the GPU resource as an example: if the resource name is <code>nvidia.com/gpu</code>, and you want to
limit the total number of GPUs requested in a namespace to 4, you can define a quota as follows:</p>

<ul>
<li><code>requests.nvidia.com/gpu: 4</code></li>
</ul>

<p>See <a href="index.html#viewing-and-setting-quotas">Viewing and Setting Quotas</a> for more detailed information.</p>

<h2 id="storage-resource-quota">Storage Resource Quota</h2>

<p>You can limit the total sum of <a href="../../user-guide/persistent-volumes/index.html">storage resources</a> that can be requested in a given namespace.</p>

<p>In addition, you can limit consumption of storage resources based on associated storage-class.</p>

<table>
<thead>
<tr>
<th>Resource Name</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><code>requests.storage</code></td>
<td>Across all persistent volume claims, the sum of storage requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>persistentvolumeclaims</code></td>
<td>The total number of <a href="../../user-guide/persistent-volumes/index.html#persistentvolumeclaims">persistent volume claims</a> that can exist in the namespace.</td>
</tr>

<tr>
<td><code>&lt;storage-class-name&gt;.storageclass.storage.k8s.io/requests.storage</code></td>
<td>Across all persistent volume claims associated with the storage-class-name, the sum of storage requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>&lt;storage-class-name&gt;.storageclass.storage.k8s.io/persistentvolumeclaims</code></td>
<td>Across all persistent volume claims associated with the storage-class-name, the total number of <a href="../../user-guide/persistent-volumes/index.html#persistentvolumeclaims">persistent volume claims</a> that can exist in the namespace.</td>
</tr>
</tbody>
</table>

<p>For example, if an operator wants to quota storage with <code>gold</code> storage class separate from <code>bronze</code> storage class, the operator can
define a quota as follows:</p>

<ul>
<li><code>gold.storageclass.storage.k8s.io/requests.storage: 500Gi</code></li>
<li><code>bronze.storageclass.storage.k8s.io/requests.storage: 100Gi</code></li>
</ul>

<p>Release 1.8 added quota support for local ephemeral storage as an alpha feature:</p>

<table>
<thead>
<tr>
<th>Resource Name</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><code>requests.ephemeral-storage</code></td>
<td>Across all pods in the namespace, the sum of local ephemeral storage requests cannot exceed this value.</td>
</tr>

<tr>
<td><code>limits.ephemeral-storage</code></td>
<td>Across all pods in the namespace, the sum of local ephemeral storage limits cannot exceed this value.</td>
</tr>
</tbody>
</table>

<h2 id="object-count-quota">Object Count Quota</h2>

<p>The 1.9 release added support to quota all standard namespaced resource types using the following syntax:</p>

<ul>
<li><code>count/&lt;resource&gt;.&lt;group&gt;</code></li>
</ul>

<p>Here is an example set of resources users may want to put under object count quota:</p>

<ul>
<li><code>count/persistentvolumeclaims</code></li>
<li><code>count/services</code></li>
<li><code>count/secrets</code></li>
<li><code>count/configmaps</code></li>
<li><code>count/replicationcontrollers</code></li>
<li><code>count/deployments.apps</code></li>
<li><code>count/replicasets.apps</code></li>
<li><code>count/statefulsets.apps</code></li>
<li><code>count/jobs.batch</code></li>
<li><code>count/cronjobs.batch</code></li>
<li><code>count/deployments.extensions</code></li>
</ul>

<p>When using <code>count/*</code> resource quota, an object is charged against the quota if it exists in server storage.
These types of quotas are useful to protect against exhaustion of storage resources.  For example, you may
want to quota the number of secrets in a server given their large size.  Too many secrets in a cluster can
actually prevent servers and controllers from starting!  You may choose to quota jobs to protect against
a poorly configured cronjob creating too many jobs in a namespace, causing a denial of service.</p>

<p>Prior to the 1.9 release, it was possible to do generic object count quota on a limited set of resources.
In addition, it is possible to further constrain quota for particular resources by their type.</p>

<p>The following types are supported:</p>

<table>
<thead>
<tr>
<th>Resource Name</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><code>configmaps</code></td>
<td>The total number of config maps that can exist in the namespace.</td>
</tr>

<tr>
<td><code>persistentvolumeclaims</code></td>
<td>The total number of <a href="../../user-guide/persistent-volumes/index.html#persistentvolumeclaims">persistent volume claims</a> that can exist in the namespace.</td>
</tr>

<tr>
<td><code>pods</code></td>
<td>The total number of pods in a non-terminal state that can exist in the namespace.  A pod is in a terminal state if <code>.status.phase in (Failed, Succeeded)</code> is true.</td>
</tr>

<tr>
<td><code>replicationcontrollers</code></td>
<td>The total number of replication controllers that can exist in the namespace.</td>
</tr>

<tr>
<td><code>resourcequotas</code></td>
<td>The total number of <a href="../../admin/admission-controllers/index.html#resourcequota">resource quotas</a> that can exist in the namespace.</td>
</tr>

<tr>
<td><code>services</code></td>
<td>The total number of services that can exist in the namespace.</td>
</tr>

<tr>
<td><code>services.loadbalancers</code></td>
<td>The total number of services of type load balancer that can exist in the namespace.</td>
</tr>

<tr>
<td><code>services.nodeports</code></td>
<td>The total number of services of type node port that can exist in the namespace.</td>
</tr>

<tr>
<td><code>secrets</code></td>
<td>The total number of secrets that can exist in the namespace.</td>
</tr>
</tbody>
</table>

<p>For example, <code>pods</code> quota counts and enforces a maximum on the number of <code>pods</code>
created in a single namespace that are not terminal. You might want to set a <code>pods</code>
quota on a namespace to avoid the case where a user creates many small pods and
exhausts the cluster&rsquo;s supply of Pod IPs.</p>

<h2 id="quota-scopes">Quota Scopes</h2>

<p>Each quota can have an associated set of scopes.  A quota will only measure usage for a resource if it matches
the intersection of enumerated scopes.</p>

<p>When a scope is added to the quota, it limits the number of resources it supports to those that pertain to the scope.
Resources specified on the quota outside of the allowed set result in a validation error.</p>

<table>
<thead>
<tr>
<th>Scope</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><code>Terminating</code></td>
<td>Match pods where <code>.spec.activeDeadlineSeconds &gt;= 0</code></td>
</tr>

<tr>
<td><code>NotTerminating</code></td>
<td>Match pods where <code>.spec.activeDeadlineSeconds is nil</code></td>
</tr>

<tr>
<td><code>BestEffort</code></td>
<td>Match pods that have best effort quality of service.</td>
</tr>

<tr>
<td><code>NotBestEffort</code></td>
<td>Match pods that do not have best effort quality of service.</td>
</tr>
</tbody>
</table>

<p>The <code>BestEffort</code> scope restricts a quota to tracking the following resource: <code>pods</code></p>

<p>The <code>Terminating</code>, <code>NotTerminating</code>, and <code>NotBestEffort</code> scopes restrict a quota to tracking the following resources:</p>

<ul>
<li><code>cpu</code></li>
<li><code>limits.cpu</code></li>
<li><code>limits.memory</code></li>
<li><code>memory</code></li>
<li><code>pods</code></li>
<li><code>requests.cpu</code></li>
<li><code>requests.memory</code></li>
</ul>

<h2 id="requests-vs-limits">Requests vs Limits</h2>

<p>When allocating compute resources, each container may specify a request and a limit value for either CPU or memory.
The quota can be configured to quota either value.</p>

<p>If the quota has a value specified for <code>requests.cpu</code> or <code>requests.memory</code>, then it requires that every incoming
container makes an explicit request for those resources.  If the quota has a value specified for <code>limits.cpu</code> or <code>limits.memory</code>,
then it requires that every incoming container specifies an explicit limit for those resources.</p>
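<p>A Python model of the decision described above: whether a pod would be accepted under a compute quota, and why not if it is refused. This is an added example, not Kubernetes code. The function names, pods and messages are constructed, the hard limits copy the <code>compute-resources</code> quota from the kubectl example on this page without its GPU entry, and defaulting applied before quota is evaluated is not modelled.</p>

```python
"""Model of how a compute ResourceQuota treats an incoming pod (illustrative)."""

UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
COMPUTE = ("requests.cpu", "requests.memory", "limits.cpu", "limits.memory")


def parse(quantity, key):
    """CPU as millicores, memory as bytes; only the common suffixes are handled."""
    q = str(quantity)
    if key.endswith("cpu"):
        return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)
    for suffix, factor in UNITS.items():
        if q.endswith(suffix):
            return int(q[:-2]) * factor
    return int(q)


def admit(hard, used, pod):
    """Return (allowed, reasons) for a pod dict against one quota's hard and used maps."""
    reasons, total = [], dict.fromkeys(COMPUTE, 0)
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for key in COMPUTE:
            if key not in hard:
                continue  # the quota does not constrain this value
            section, name = key.split(".")
            value = res.get(section, {}).get(name)
            if value is None:
                reasons.append(f"{c['name']}: must specify {key}")
            else:
                total[key] += parse(value, key)
    for key in COMPUTE:
        if key in hard and parse(used.get(key, "0"), key) + total[key] > parse(hard[key], key):
            reasons.append(f"exceeded quota: {key}")
    if "pods" in hard and int(used.get("pods", 0)) + 1 > int(hard["pods"]):
        reasons.append("exceeded quota: pods")
    return (not reasons, reasons)


HARD = {"pods": "4", "requests.cpu": "1", "requests.memory": "1Gi",
        "limits.cpu": "2", "limits.memory": "2Gi"}
# Constructed pods: one with no resources stanza, one fully specified.
NO_RESOURCES_POD = {"spec": {"containers": [{"name": "app"}]}}
OK_POD = {"spec": {"containers": [{"name": "app", "resources": {
    "requests": {"cpu": "250m", "memory": "256Mi"},
    "limits": {"cpu": "500m", "memory": "512Mi"}}}]}}

if __name__ == "__main__":
    for pod in (NO_RESOURCES_POD, OK_POD):
        print(admit(HARD, {}, pod))
```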

<h2 id="viewing-and-setting-quotas">Viewing and Setting Quotas</h2>

<p>Kubectl supports creating, updating, and viewing quotas:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">kubectl create namespace myspace

cat <span style="color:#b44">&lt;&lt;EOF &gt; compute-resources.yaml
</span><span style="color:#b44">apiVersion: v1
</span><span style="color:#b44">kind: ResourceQuota
</span><span style="color:#b44">metadata:
</span><span style="color:#b44">  name: compute-resources
</span><span style="color:#b44">spec:
</span><span style="color:#b44">  hard:
</span><span style="color:#b44">    pods: &#34;4&#34;
</span><span style="color:#b44">    requests.cpu: &#34;1&#34;
</span><span style="color:#b44">    requests.memory: 1Gi
</span><span style="color:#b44">    limits.cpu: &#34;2&#34;
</span><span style="color:#b44">    limits.memory: 2Gi
</span><span style="color:#b44">    requests.nvidia.com/gpu: 4
</span><span style="color:#b44">EOF</span>
kubectl create -f ./compute-resources.yaml --namespace<span style="color:#666">=</span>myspace

cat <span style="color:#b44">&lt;&lt;EOF &gt; object-counts.yaml
</span><span style="color:#b44">apiVersion: v1
</span><span style="color:#b44">kind: ResourceQuota
</span><span style="color:#b44">metadata:
</span><span style="color:#b44">  name: object-counts
</span><span style="color:#b44">spec:
</span><span style="color:#b44">  hard:
</span><span style="color:#b44">    configmaps: &#34;10&#34;
</span><span style="color:#b44">    persistentvolumeclaims: &#34;4&#34;
</span><span style="color:#b44">    replicationcontrollers: &#34;20&#34;
</span><span style="color:#b44">    secrets: &#34;10&#34;
</span><span style="color:#b44">    services: &#34;10&#34;
</span><span style="color:#b44">    services.loadbalancers: &#34;2&#34;
</span><span style="color:#b44">EOF</span>
kubectl create -f ./object-counts.yaml --namespace<span style="color:#666">=</span>myspace

kubectl get quota --namespace<span style="color:#666">=</span>myspace
NAME                    AGE
compute-resources       30s
object-counts           32s

kubectl describe quota compute-resources --namespace<span style="color:#666">=</span>myspace
Name:                    compute-resources
Namespace:               myspace
Resource                 Used  Hard
--------                 ----  ----
limits.cpu               <span style="color:#666">0</span>     <span style="color:#666">2</span>
limits.memory            <span style="color:#666">0</span>     2Gi
pods                     <span style="color:#666">0</span>     <span style="color:#666">4</span>
requests.cpu             <span style="color:#666">0</span>     <span style="color:#666">1</span>
requests.memory          <span style="color:#666">0</span>     1Gi
requests.nvidia.com/gpu  <span style="color:#666">0</span>     <span style="color:#666">4</span>


kubectl describe quota object-counts --namespace<span style="color:#666">=</span>myspace
Name:                   object-counts
Namespace:              myspace
Resource                Used    Hard
--------                ----    ----
configmaps              <span style="color:#666">0</span>       <span style="color:#666">10</span>
persistentvolumeclaims  <span style="color:#666">0</span>       <span style="color:#666">4</span>
replicationcontrollers  <span style="color:#666">0</span>       <span style="color:#666">20</span>
secrets                 <span style="color:#666">1</span>       <span style="color:#666">10</span>
services                <span style="color:#666">0</span>       <span style="color:#666">10</span>
services.loadbalancers  <span style="color:#666">0</span>       <span style="color:#666">2</span></code></pre></div>
<p>Kubectl also supports object count quota for all standard namespaced resources
using the syntax <code>count/&lt;resource&gt;.&lt;group&gt;</code>:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">kubectl create namespace myspace

kubectl create quota <span style="color:#a2f">test</span> --hard<span style="color:#666">=</span>count/deployments.extensions<span style="color:#666">=</span><span style="color:#666">2</span>,count/replicasets.extensions<span style="color:#666">=</span><span style="color:#666">4</span>,count/pods<span style="color:#666">=</span><span style="color:#666">3</span>,count/secrets<span style="color:#666">=</span><span style="color:#666">4</span> --namespace<span style="color:#666">=</span>myspace

kubectl run nginx --image<span style="color:#666">=</span>nginx --replicas<span style="color:#666">=</span><span style="color:#666">2</span> --namespace<span style="color:#666">=</span>myspace

kubectl describe quota --namespace<span style="color:#666">=</span>myspace
Name:                         <span style="color:#a2f">test</span>
Namespace:                    myspace
Resource                      Used  Hard
--------                      ----  ----
count/deployments.extensions  <span style="color:#666">1</span>     <span style="color:#666">2</span>
count/pods                    <span style="color:#666">2</span>     <span style="color:#666">3</span>
count/replicasets.extensions  <span style="color:#666">1</span>     <span style="color:#666">4</span>
count/secrets                 <span style="color:#666">1</span>     <span style="color:#666">4</span></code></pre></div>
<h2 id="quota-and-cluster-capacity">Quota and Cluster Capacity</h2>

<p><code>ResourceQuotas</code> are independent of the cluster capacity. They are
expressed in absolute units.  So, if you add nodes to your cluster, this does <em>not</em>
automatically give each namespace the ability to consume more resources.</p>

<p>Sometimes more complex policies may be desired, such as:</p>

<ul>
<li>Proportionally divide total cluster resources among several teams.</li>
<li>Allow each tenant to grow resource usage as needed, but have a generous
limit to prevent accidental resource exhaustion.</li>
<li>Detect demand from one namespace, add nodes, and increase quota.</li>
</ul>

<p>Such policies could be implemented using <code>ResourceQuotas</code> as building blocks, by
writing a &ldquo;controller&rdquo; that watches the quota usage and adjusts the quota
hard limits of each namespace according to other signals.</p>
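<p>The core of such a controller for the first policy in the list, proportional division, sketched in Python as an added example (not Kubernetes or project code). The weights, the reserve percentage, the namespace names and the function names are assumptions; watching the cluster and applying the resulting manifests through the API are left out.</p>

```python
"""Recompute quota hard limits from cluster capacity (illustrative controller core)."""


def divide(capacity, weights, reserve_pct=10):
    """Split capacity (cpu in millicores, memory in Mi) by integer weight."""
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("every namespace needs a positive weight")
    total = sum(weights.values())
    shares = {}
    for ns, w in weights.items():
        shares[ns] = {}
        for key, amount in capacity.items():
            usable = amount * (100 - reserve_pct) // 100
            # Floor each share so the hard limits never sum past usable capacity.
            shares[ns][key] = usable * w // total
    return shares


def quota_manifest(ns, share):
    """Build the ResourceQuota object for one namespace's share."""
    return {"apiVersion": "v1", "kind": "ResourceQuota",
            "metadata": {"name": "compute-resources", "namespace": ns},
            "spec": {"hard": {"requests.cpu": f"{share['cpu_m']}m",
                              "requests.memory": f"{share['mem_mi']}Mi"}}}


def reconcile(capacity, weights, current, reserve_pct=10):
    """Return manifests only for namespaces whose hard limits must change."""
    desired = divide(capacity, weights, reserve_pct)
    return [quota_manifest(ns, s) for ns, s in desired.items() if current.get(ns) != s]


# Constructed inputs: a 16-core, 64Gi cluster shared 3:1 by two teams.
CAPACITY = {"cpu_m": 16000, "mem_mi": 65536}
WEIGHTS = {"team-a": 3, "team-b": 1}

if __name__ == "__main__":
    first = divide(CAPACITY, WEIGHTS)
    print(first)
    # After nodes are added, only a new reconcile pass raises the limits.
    grown = {"cpu_m": 32000, "mem_mi": 131072}
    for manifest in reconcile(grown, WEIGHTS, current=first):
        print(manifest["metadata"]["namespace"], manifest["spec"]["hard"])
```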

<p>Note that resource quota divides up aggregate cluster resources, but it creates no
restrictions around nodes: pods from several namespaces may run on the same node.</p>

<h2 id="example">Example</h2>

<p>See a <a href="../../tasks/administer-cluster/quota-api-object/index.html">detailed example for how to use resource quota</a>.</p>














<h2 id="what-s-next">What&#39;s next</h2>
<p>See <a href="https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md" target="_blank">ResourceQuota design doc</a> for more information.</p>





    
    

			</div>
		</section>
		<footer>
    <main class="light-text">
        <div id="miceType" class="center">
            &copy; 2018 The Kubernetes Authors | Documentation Distributed under <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a>
        </div>
        <div id="miceType" class="center">
            Copyright &copy; 2018 The Linux Foundation&reg;. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" class="light-text">Trademark Usage page</a>
        </div>
    </main>
</footer>




	</body>
</html>